Single Sign-On with X.509 certificates #297
Comments
In order to authenticate a user using a certificate, TheHive must be able to extract the user login from the certificate provided by the client. The user login can be in the subject RDN and in the subject alternative name. With this kind of authentication you can't use a reverse proxy, and if you want to use the standard port (443/tcp), TheHive must be run as the root user, which is not recommended (or add a rule in your local firewall to translate the port).
UserPrincipalName is also a very common attribute of certificates, where I think this functionality would make sense ;)
UserPrincipalName is usually in the SubjectAlternativeName but I don't know how to extract it. Using the Java API, it doesn't seem easy. Maybe I should have a look at the Bouncy Castle library.
In our case the user login name is the X.509 subject Common Name (CN).
Thank you. It uses Bouncy Castle. I prefer not to depend on this library. I'll try to understand how it extracts the UPN from the certificate and implement my own function (if not too complicated).
Any news about this, @To-om?
This feature has been implemented but not fully tested. I'll add it in the next release as beta (planned for the 5th of December). If changes are needed, I'll push a hotfix.
I'm happy to test it ;)
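The UPN extraction discussed in the two comments above, as an added example that is not TheHive's code: a minimal DER walker over the SubjectAlternativeName value (the kind of raw bytes a Java `getSubjectAlternativeNames()` caller is handed for an otherName) that returns the UserPrincipalName otherName, OID 1.3.6.1.4.1.311.20.2.3, with no Bouncy Castle dependency. It is written in Python for a self-contained demo; the helper names and the sample SAN bytes are constructed here.

```python
# Added example (not TheHive code): UPN from a DER SAN value, no Bouncy Castle.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long-form length: next n bytes
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content bytes -> dotted string (first byte packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def upn_from_san(general_names):
    """SAN extension value (SEQUENCE OF GeneralName) -> UPN string or None."""
    tag, seq, _ = _read_tlv(general_names, 0)
    if tag != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0xA0:                # only otherName ([0] IMPLICIT) matters
            continue
        oid_tag, oid, p = _read_tlv(body, 0)
        if oid_tag != 0x06 or _decode_oid(oid) != UPN_OID:
            continue                   # some other otherName type
        _, explicit, _ = _read_tlv(body, p)         # value is [0] EXPLICIT
        str_tag, utf8, _ = _read_tlv(explicit, 0)
        if str_tag != 0x0C:
            raise ValueError("UPN value is not a UTF8String")
        return utf8.decode("utf-8")
    return None

# Constructed sample SAN (short-form lengths only): one dNSName plus a UPN.
def _der(tag, body):
    return bytes([tag, len(body)]) + body
UPN_OID_DER = bytes.fromhex("2b060104018237140203")
SAMPLE_SAN = _der(0x30, _der(0x82, b"hive.example.com")
                  + _der(0xA0, _der(0x06, UPN_OID_DER)
                               + _der(0xA0, _der(0x0C, b"alice@example.com"))))
```

Feeding `SAMPLE_SAN` to `upn_from_san` yields `alice@example.com`; a SAN without a UPN otherName yields `None`, so the caller can fall back to the subject CN as the login.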
Request Type
Feature Request
Hello Team,
we have the request to enable Single Sign-On with X.509 certificates for TheHive.
So this means enhancing the Play SSL server to accept and read X.509 certificates for configured CAs. With this option users do not have to provide a username and password to authenticate but have a convenient and secure way of authenticating to the system.
Play allows you to implement a custom SSL engine:
https://www.playframework.com/documentation/2.6.x/ConfiguringHttps
thank you
marc